-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/18/11 14:43, Wietse Venema wrote:
> This should be possible with one Postfix
> {SNIP}
> No firewalling needed.
To bring closure to this thread and perhaps benefit others in the future:
As part of a defense-in-depth security strategy a strict IPv4 egress policy was
already in place at the firewall. This firewall policy only permitted egress
IPv4 TCP destined to port 25 from the relayhost.
The solution for enabling native IPv6 delivery without using the IPv4 relayhost
was simply s/relayhost/fallback_relay/ in combination with the existing IPv4
egress firewall policy.
IPv4 egress from Postfix will receive a TCP RST by the firewall and send mail to
the IPv4 address defined fallback_relay, which is permitted by the firewall.
IPv6 traffic destined to TCP port 25 is permitted so this will egress the
firewall without issue.
- From an additional overhead perspective there seems to be none for delivery to
IPv6 enabled MXes; IPv4 only will incur TCP RST from the firewall and behavior
relating to fallback_relay. In practice this seems to be almost instant with no
noticeable delays.
Vick, I owe you an overwhelming thank you for pointing me in the right
direction. I have now achieved the desired behavior/effect. Thank you to the
others who have participated in this thread as well.
- --
- -evilghost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJN1CY8AAoJENgimYXu6xOHEqkP/3PGJKhz7RRz/iV6IR2M42qJ
LDXIENkC3CJ/kNi6wNxBhJ1Sn4OlGi0ioioeTkezNmsxhcNQucMOuraiFNVP/11B
ZiuuzLqb+g/xdSQXL69k+gm2x7fDIuI+bQkHrKcMCTat+v0Iz1StUpItrPdmW2ZW
6A9nQy/lUY9eUrpylhImS1HzelzU3viA/An4b7fQpt+XesWl7dcdl1t52iN0odOI
BZVOrPl5uZ7lFlIQX8tAQUpbbXqagiqrs9L3KMIR7iRrVOTAw/m/rt91ZjR8rqP5
LRqh0lFycpA4GJ0EPENuRgym8cM9ATqN41yTriQKQLIPuyiM8jmGgom+4XAgTGAv
JjiPFGHIuz2WM9yw7nON6eVy13Gh7Xr9A6XWxvk9OPyHlG3/HkHOOn+2JoQ+ENrJ
ndHE0EkMtRXhrOzQPaVG+9O++njMfDqvLEMOZoBlpSX9saFP9rty8Hm1WQzHvcP4
8Tq190iVoIYZ0/jap2UruhpfxRe4Qe7dmQySoqDuDT97XFULPvBYgPiLf0pCCgz6
Vq+4PNEpLtoCbS48ACg759uSMoqEGz8Ef4LzFfEBTU62esBSNnRI27qzWk8WdPHj
RNg7aTJdtvOqP/3OkMf13XxgYGD59pM//t4YMeXuWOO3kgEX0oVFRjQSFcs2p2CQ
ymqss285LiwjLxwAAN0h
=sXjM
-----END PGP SIGNATURE-----
